ChiliProject 2.7.3 has just been released. This release is a security release to fix two security issues in Rails (CVE-2012-2694 and CVE-2012-2695) which allowed attackers to inject certain forms of SQL into the database queries generated by ChiliProject. The bugs were fixed in Rails 3.2.6. We have backported the fixes to the version of Rails we currently use.
This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.2.2. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release immediately.
We apologize for the unusually large number of patch releases lately. The vulnerabilities fixed in this and the last release are located in Ruby on Rails, the web framework we use as the basis for ChiliProject. The bugs were announced by Rails and are thus publicly known. As we strive to keep our users as secure as possible, we release security updates as fast as we can to allow responsible administrators to update their installations in a timely fashion and keep their systems secure.
2.7.3 includes two security fixes which were backported from ChiliProject 3.2.2.
- Bug #1036: Ruby on Rails Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694)
- Bug #1037: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2695)
The 2.x versions of ChiliProject are officially in maintenance mode and will only receive security updates until the release of 4.0. After that date the 2.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject, currently ChiliProject 3.2.2, in order to get general bug fixes and new features.